Hi there,

We have an internal document where we condensed both of these information sources, but it's written in German. If you (Fortinet) like, I can translate it for you and you may publish it as KB?

Some of the main things you have to dig a while before finding it out by yourself:

Most common functions:

• toDateTime($_year, $_month, $_day, $_time) converts single values of a time to a datetime object necessary for events
• combineMsgId($_var1, $_var2, "eigener Text", $hostVLAN, ...) combines strings
• convertStrToIntIpProto($_string) converts a string to an integer that is usually needed for ip things; there is also: convertStrToIntIpPort().
• add($_number1, $_number2), divide, scale for math
• replaceStringByRegex($_input, "regex", "replacment String") for replacing strings
• getEventSeverityFromSyslogPriority($_syslogPrio) converts the syslog priority within the brackets at the beginning of the message to the FSM priority (eventSeverity attribute)

Global RegEx patterns:

• You can find them at /opt/phoenix/config/xml/GeneralPatternDefinitions.xml (which will be overwritten when updating!). Most interesting ones:
  • gPatSyslogPRI takes the priortiy out of a syslog message (like <134>)
  • gPatMesgBody or gPatMesgBodyMin takes the end of the message
  • gPatSyslogNGHeader takes a standard-formed time out of the syslog message (unfortunately, most syslog message have their custom time format)
  • gPatMon/gPatMonNum/gPatDay/gPatTime/gPatYear/gPatMSec/gPatTimeMSec/gPatTimeZone/gPatWeekday finds parts of dates/times
  • gPatIpV4Dot/gPatIpAddr (IPv6)/gPatIpPort/gPatProto for network information
  • gPatFqdn/gPatWord/gPatWord/gPatStr/gPatHostName/gPatStrComma/gPatStrLeftParen/gPatStrRightSB/gPatInt/gPatSpace/gPatStrEndColon/gPatStrSQ (single quotes)/gPatDQ (double quotes)/gPatSentence

Best,

Christian

I will be really appreciated, if you can translate it, would help!

Thanks for your reply, appreciated!